hxxps://www[.]pdfshaper[.]com/index[.]html

Analysis

max time kernel
123s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.pdfshaper.com/index.html

Score

8^/10

discovery spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

pdfshaper_free_14.1.exepdfshaper_free_14.1.tmpwinx-dvd-ripper-bawa.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exePDFShaper.exeAssistant_110.0.5130.23_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exe

pid	process
5820	pdfshaper_free_14.1.exe
5928	pdfshaper_free_14.1.tmp
1616	winx-dvd-ripper-bawa.exe
6068	OperaSetup.exe
6132	OperaSetup.exe
4408	OperaSetup.exe
4200	OperaSetup.exe
1348	OperaSetup.exe
5548	PDFShaper.exe
5788	Assistant_110.0.5130.23_Setup.exe_sfx.exe
2076	assistant_installer.exe
3988	assistant_installer.exe

Loads dropped DLL 10 IoCs

Processes:

pdfshaper_free_14.1.tmpOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeOperaSetup.exeassistant_installer.exeassistant_installer.exe

pid	process
5928	pdfshaper_free_14.1.tmp
6068	OperaSetup.exe
6132	OperaSetup.exe
4408	OperaSetup.exe
4200	OperaSetup.exe
1348	OperaSetup.exe
2076	assistant_installer.exe
2076	assistant_installer.exe
3988	assistant_installer.exe
3988	assistant_installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-HGABD.tmp\OperaSetup.exe	upx
behavioral1/memory/6068-318-0x0000000000780000-0x0000000000CB5000-memory.dmp	upx
behavioral1/memory/6132-325-0x0000000000780000-0x0000000000CB5000-memory.dmp	upx
behavioral1/memory/4408-337-0x0000000000160000-0x0000000000695000-memory.dmp	upx
behavioral1/memory/4408-342-0x0000000000160000-0x0000000000695000-memory.dmp	upx
behavioral1/memory/4200-345-0x0000000000780000-0x0000000000CB5000-memory.dmp	upx
behavioral1/memory/1348-362-0x0000000000780000-0x0000000000CB5000-memory.dmp	upx
behavioral1/memory/6132-494-0x0000000000780000-0x0000000000CB5000-memory.dmp	upx
behavioral1/memory/4200-495-0x0000000000780000-0x0000000000CB5000-memory.dmp	upx
behavioral1/memory/6068-493-0x0000000000780000-0x0000000000CB5000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OperaSetup.exeOperaSetup.exe

description	ioc	process
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe
File opened (read-only)	\??\D:	OperaSetup.exe
File opened (read-only)	\??\F:	OperaSetup.exe

Drops file in Program Files directory 10 IoCs

Processes:

pdfshaper_free_14.1.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\PDF Shaper Free\PDFShaper.exe	pdfshaper_free_14.1.tmp
File created	C:\Program Files (x86)\PDF Shaper Free\is-0CR86.tmp	pdfshaper_free_14.1.tmp
File created	C:\Program Files (x86)\PDF Shaper Free\is-91E19.tmp	pdfshaper_free_14.1.tmp
File created	C:\Program Files (x86)\PDF Shaper Free\is-3ICRV.tmp	pdfshaper_free_14.1.tmp
File created	C:\Program Files (x86)\PDF Shaper Free\is-OQ0OB.tmp	pdfshaper_free_14.1.tmp
File opened for modification	C:\Program Files (x86)\PDF Shaper Free\unins000.dat	pdfshaper_free_14.1.tmp
File opened for modification	C:\Program Files (x86)\PDF Shaper Free\PDFShaper.chm	pdfshaper_free_14.1.tmp
File opened for modification	C:\Program Files (x86)\PDF Shaper Free\pdfium.dll	pdfshaper_free_14.1.tmp
File created	C:\Program Files (x86)\PDF Shaper Free\unins000.dat	pdfshaper_free_14.1.tmp
File created	C:\Program Files (x86)\PDF Shaper Free\is-PVPTA.tmp	pdfshaper_free_14.1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

OperaSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaSetup.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 348445.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 348445.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exepdfshaper_free_14.1.tmpmsedge.exe

pid	process
1244	msedge.exe
1244	msedge.exe
4688	msedge.exe
4688	msedge.exe
2408	identity_helper.exe
2408	identity_helper.exe
5648	msedge.exe
5648	msedge.exe
5928	pdfshaper_free_14.1.tmp
5928	pdfshaper_free_14.1.tmp
5736	msedge.exe
5736	msedge.exe
5736	msedge.exe
5736	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe

Suspicious use of FindShellTrayWindow 57 IoCs

Processes:

msedge.exepdfshaper_free_14.1.tmpPDFShaper.exe

pid	process
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
5928	pdfshaper_free_14.1.tmp
5548	PDFShaper.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PDFShaper.exe

pid process

5548 PDFShaper.exe

pid	process
5548	PDFShaper.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4688 wrote to memory of 2756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2576	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1244	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1756	4688	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pdfshaper.com/index.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0f5646f8,0x7ffd0f564708,0x7ffd0f564718
2⤵
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
2⤵
PID:2576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
2⤵
PID:1756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
2⤵
PID:2140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
2⤵
PID:2028

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
2⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
2⤵
PID:3400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
2⤵
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5576 /prefetch:8
2⤵
PID:3916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
2⤵
PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6472 /prefetch:8
2⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
2⤵
PID:1816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
2⤵
PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4068 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5648

C:\Users\Admin\Downloads\pdfshaper_free_14.1.exe
"C:\Users\Admin\Downloads\pdfshaper_free_14.1.exe"
2⤵
- Executes dropped EXE
PID:5820

C:\Users\Admin\AppData\Local\Temp\is-UOUN6.tmp\pdfshaper_free_14.1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UOUN6.tmp\pdfshaper_free_14.1.tmp" /SL5="$701F8,7452700,824320,C:\Users\Admin\Downloads\pdfshaper_free_14.1.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:5928

C:\Users\Admin\AppData\Local\Temp\is-HGABD.tmp\winx-dvd-ripper-bawa.exe
"C:\Users\Admin\AppData\Local\Temp\is-HGABD.tmp\winx-dvd-ripper-bawa.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
4⤵
- Executes dropped EXE
PID:1616

C:\Users\Admin\AppData\Local\Temp\is-HGABD.tmp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\is-HGABD.tmp\OperaSetup.exe" --silent --allusers=0 --otd=utm.source:BRW,utm.medium:pb,utm.campaign:GLBA
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
PID:6068

C:\Users\Admin\AppData\Local\Temp\is-HGABD.tmp\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\is-HGABD.tmp\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=102.0.4880.16 --initial-client-data=0x314,0x318,0x31c,0x310,0x320,0x73113520,0x73113530,0x7311353c
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6132

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OperaSetup.exe" --version
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4408

C:\Users\Admin\AppData\Local\Temp\is-HGABD.tmp\OperaSetup.exe
"C:\Users\Admin\AppData\Local\Temp\is-HGABD.tmp\OperaSetup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6068 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240523100729" --session-guid=110382e3-0b5e-4505-ab97-411f9b67a048 --server-tracking-blob=ODZhZmZkMTJkNzMyMjM3MjUzMjA2MDQxMmMwNjAzZDUwZWNiNzcxNjhlNzNkNmY4NTEzNzdlMTUzYzllZDA0Mzp7ImNvdW50cnkiOiJFUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUJSVyZ1dG1fbWVkaXVtPXBiJnV0bV9jYW1wYWlnbj0lN0JuYW1lX29mX3NvZnR3YXJlIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNjkyODg1NTcxLjMzNTkiLCJ1c2VyYWdlbnQiOiJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0OyBydjoxMDkuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8xMTYuMCIsInV0bSI6eyJjYW1wYWlnbiI6IkdMQkEiLCJtZWRpdW0iOiJwYiIsInNvdXJjZSI6IkJSVyJ9LCJ1dWlkIjoiY2RjNWUyZTktM2E2YS00YTgzLWE0YTctNTgwZjI0MzExNWNhIn0= --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=6C05000000000000
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:4200

C:\Users\Admin\AppData\Local\Temp\is-HGABD.tmp\OperaSetup.exe
C:\Users\Admin\AppData\Local\Temp\is-HGABD.tmp\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=102.0.4880.16 --initial-client-data=0x300,0x304,0x308,0x2dc,0x30c,0x723e3520,0x723e3530,0x723e353c
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1348

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405231007291\assistant\Assistant_110.0.5130.23_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405231007291\assistant\Assistant_110.0.5130.23_Setup.exe_sfx.exe"
5⤵
- Executes dropped EXE
PID:5788

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405231007291\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405231007291\assistant\assistant_installer.exe" --version
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405231007291\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405231007291\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=110.0.5130.23 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0xcc30e8,0xcc30f4,0xcc3100
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3988

C:\Program Files (x86)\PDF Shaper Free\PDFShaper.exe
"C:\Program Files (x86)\PDF Shaper Free\PDFShaper.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pdfshaper.com/after-install.html
4⤵
PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd0f5646f8,0x7ffd0f564708,0x7ffd0f564718
5⤵
PID:5488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1748 /prefetch:1
2⤵
PID:628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
2⤵
PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13390592535781893507,6763134406286796571,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6716 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PDF Shaper Free\PDFShaper.exe
Filesize
9.4MB

MD5
d183ca89b18270bc0c0509af5e897e50

SHA1
8129d35893bb406cb611c7b08f2b3ee26045b840

SHA256
9daeebc8c5f9ea39c29d55b9317e94a9dc0fb7a24016b5b3f0ccbbd8e589e9af

SHA512
eea03d86725de6e7250e27f412ac5f8571623b5aea729b64db68a0c753e01a8b5f79cdd38503d4ecce48d560baf2de4ea2a9828a48d346a21ef8e17d780e62eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F9AD2B9EDD5A295F27B408484F8EFAE
Filesize
503B

MD5
e899a841776b39542f068eae1ace7996

SHA1
27f657c3413d0fcf0736146229dc66a4bdf8713b

SHA256
1ced6b74755b36b14bc618d7ffe00e0600133ca1e98a563b0624b12c564e1853

SHA512
da4744ddae1c2cd3831762d57e1c01fd031274db2cc010526367c7a31aa870fd9cad7dca2393b57a2e41319f22a35d34caadcfdcf2f7ede0e501cdeac2392fd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
d154a6591be67784f7211fb24318ee18

SHA1
2af5daecf1148ebac1834e264ac08f629c96719c

SHA256
a551897283426f7884694a1e7303b88d247e977853de1aa29a31ed95c9618dbb

SHA512
f55edbe64a5d266886b89f2f38856c5b19c8a1366a547adf1d71b59032c6d99313892eb6acbc503f775850454acf08ade49889abc0c99997200c6a8e082510d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F9AD2B9EDD5A295F27B408484F8EFAE
Filesize
548B

MD5
4732bdde83ea5755b8615c11166f9cdb

SHA1
34348be7a828fda9d7470077884930455f0f6dc2

SHA256
f703e9d1381371794ab909a3528f5f66b6710bd8325c19b0de6faf8ac84ca77a

SHA512
bb6f2e2f5a82f6fb0cd2e3e9b799892a27941cb9dcd571b141774e5d7188ca440fe0d2931fd5e0bb46eb689edccf691527d572601618ca510d52edbf562c5720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7f61afa8-c97d-45b9-834d-1451222f60bd.tmp
Filesize
5KB

MD5
e44078c856d03a429396d082c47a2f12

SHA1
1debf77339d85f1cf78cf1dba40a9e2d558eeb5c

SHA256
39b72a4d038915350a661bfb981082df07e2e2b089607cd48e8c27756cf877d2

SHA512
21b5a3f44d1637873fd0b049096ceedf20037ed9c21c496ad072ceff591bac571e3969682cc4399a2da0d07895953cffa9c8c8a91a3e92e96a1d6a36926a1c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
Filesize
19KB

MD5
b776233322697ee26b8834e35359764d

SHA1
327a743d304c4b27f243a5d4738c401e5dec3e24

SHA256
15e5a253f62978e07e4823d23bb97d956099ccde8704fdd38aba02b11cf7e40d

SHA512
73eec5c89887b99f089c610826dbe273a86f9f4c0f5f0f987d87b7d9ed12e78a1cb5741d30d23d21aff6536dc34a1258cb3eda9a811d2294e96af4fcda1637a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\fa79a136b870715b_0
Filesize
52KB

MD5
89ec067494376b9a9034f68fe31b7c00

SHA1
0f16debe835c9905ffb7c50492be72e9755384d2

SHA256
3c5771364bf29c8c3b2aa4c8ec7afa87814134e830303620b08dc70652adb914

SHA512
8acd2e55c7e54755a276bdaa58a94e3280af037c749b51aca405f861ffca64d5a8852daf825acff626003efa07430f0e7936a545551cdc457b79177dbdea3a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
504B

MD5
40a5eed96ce71dbd75c6adacfb62c754

SHA1
b385350e2464211a6020646088c7fdbb790ef617

SHA256
aba11078b8e5c6e42bade03c8720bffe70a5e3536c56a43dc36489f81e906103

SHA512
14ba1b9f347b6a127d12796afdd187e802de8d876ba6a0bf4005afa596bfc2e408b6d6983fca283c44fbe4d278b62f8405da2a743b5d727e3327dbcc3429ff3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
624B

MD5
582d26fd7fb2bda99cdd6ab8baffd7e9

SHA1
0d233988041cc6e2504a0a5626e135f4620d56f5

SHA256
b81ee35ff4bde049926bd2a5ebc82bfaa661111c2db090f0fec925a6632d8a4f

SHA512
3114a5e57b774f16a714c7f723862a2134a8e864c0af2bd302c14d4e4f8b0dcfea4e2c8015fe0d69eb67800bee06e02eaa3be8f46fccfaf3bb77009cd6b385e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
ef00c43d097dc80761bbc8df12f266b0

SHA1
c4638374a20a774d8b6b3ff5f206f279f4d6f753

SHA256
7264cb676bc039e006252a1f858c47fe20397ff13b8768ed089aaa5bb5c786bc

SHA512
f649b23a95b30b6b81ff3a0314eb2fef7d09f749578d05770b52bf085209d740969be65ab3003aa42aec1bf11b7d95a86fe944bee51fb696b132ef94e6ed51cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
f9918e7a1a2d864cb5c573655146d616

SHA1
518d0382ed906f9f701815707637c073ba922c05

SHA256
7a1a50b6d29e1235ca06ae49cd02f799930d90a0d19b1a72ab6daa0d8dfe89c6

SHA512
5968442f22c9ac8cc3a2ec0f59165c56cd03838a6e01074dfe703b58b9e4acf470564362d6b2d42040612ff89c81afde99865c2545ac3836097f24228c43cce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
15296e59ff084076e952c7de4ae7ca6b

SHA1
94572b5352a207706f24de9d2fc736252dc82a0f

SHA256
be6b86141bd84ba898a871845dcf89ae8d88b62673de0f98c2bfabbd6b6cbc6e

SHA512
fa25d287e9f41e43904818d11aab9edeae42df88583c793e865df119da52b1e51af59b8f1f3bf88f118bfc4f59a10f9ecbbf2c9518539141de6cc7171d7468cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
705B

MD5
97d5a515b26524cc52d2ce26a51662cb

SHA1
70deb16701427ee4a3a36f332a2276fbdccaca12

SHA256
de9e36f4da53ac6fcf9c2629b9be2035693791660a5b38a3f5894b20d06f25d9

SHA512
9ceac5a35dd959389946503d2e4438303202dffd47bf08a7b4bc59c9ae8e8505456f76ffa72efd857cc8fc293aa23d40869ec105c90ef2d44c76763e625a20ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58fcd9.TMP
Filesize
705B

MD5
087ee318b65ed91d0fc9ec650b937c46

SHA1
0ded55e950139dc97f7865f0d2fa9b01c35b8876

SHA256
5f3c71284a6b52cd016b38f4b100ff5b4a97882147afe8fa4dece5c730b4aa77

SHA512
65770b73814e4fcd79093e2558745c9003d7bb32fad17abb35f1ea4529d45e80ebe7f5c7af39940557108889b0aad48a43370e42599fcac6a54987cb7ad7a43c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
843a84481e47a0c64982cb0d8b9f08cc

SHA1
c79d8eb2010452f5f901c447581645716188a7eb

SHA256
946a4f1eb79a43b0dfdc4e0506c720e268d1ae501e282f24fdad56cfed2dfc5a

SHA512
93dfc760402ef697bbb662d7db5c295c7dec05d29e379f86706eab5554717d931f3f1abe23531dc582a380aedcd28e57646ce75d9ff8ce62ac8090917d0be229

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ab0c6786b47fb52db026d474d819eb29

SHA1
86be49c875e3c671a9c1a968ddc0ce056b26ce4e

SHA256
7c734a977e83a59664d90bc3e513686238b732040df77f87639be17e30b69d4a

SHA512
b2a740120648e816bdca133c58e94ac945c8ce246cf8bde8dd0b3a34736025cba0aae185b2f1b6f524c17cb6ce92ae40eb18fc3a86977044a049e54b20f1afb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405231007291\additional_file0.tmp
Filesize
2.5MB

MD5
028fb19ee2cea3e611b4a85ac48fafbc

SHA1
d1a802b5df649282e896289b4ec5df8d512b53dd

SHA256
e8fa79e22926ae07a998b5d2bb1be9309d0a15772ac72b88f4eed66052f33117

SHA512
99959d7765c1e6636dee1841f214cb2d0c7684d7128381b0387fa9c7ef4a92ef62bb094087bdcb343e44196b5a333df3a2104ced9f49671197a06fafa27aff51

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405231007291\assistant\assistant_installer.exe
Filesize
1.9MB

MD5
b6789061eb88781add48ec7095ff78e5

SHA1
c2cdf5723a94b3b5a69ad78a5e869347444abe0b

SHA256
c39c7199fa2221783ea61f085f484668e3c452706069b046cb0f4a9d4cb4c0a3

SHA512
7c9a61c7f8d45fb7a2591c0c57c22bca0b527e3b6b4a3bdde5fbdcca25abc1e0c56a244a39d4b65a91316eb8f19fb8232569f5781eedefbc0898646d4df10f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405231007291\assistant\dbgcore.dll
Filesize
166KB

MD5
a4ed3b36776e0155fd24ffa609ffc2f4

SHA1
3d6496f21e0f04b6789365d06e71fe7de284b1c0

SHA256
b69387b9284dc36d377e4066c4cf361dc65efc6c784af0f8666d9684fabd2d29

SHA512
ae5d052fdcc7e7d3e593a1fb2dd5e64fcd75c7381ff4e4c5f4302d8d3c058a48c943c66d04c02d44d45c2bda36b3d3df096dfea26fc35d3c682bdd5221225e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202405231007291\assistant\dbghelp.dll
Filesize
1.7MB

MD5
fa64324149160877768551fd96c360dc

SHA1
dd76ebe617271465ae5820f49152f8a89703ae1a

SHA256
7f4a2cff90524b769781b763077be198d74834c6b576ef9f27132a415cbbaca8

SHA512
72161c1b0449f546e2a3560369f5cebbe71c5f098efb4037a9ec229310082b0fab2de10b8a0f94b0213d5119cd9ff66daeaa73ca2163ba0224b5cd8526f7bbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2405231007278946068.dll
Filesize
4.6MB

MD5
b88c2599046edc2f33dc91bdfee239ce

SHA1
53a62d5c427f236d49bae08a25c77ab553035db3

SHA256
04fbfc09db7df076f19cfdc2a0e5b177bef0efa3d3c3cce0605c370a1ca3759a

SHA512
6450db188e75e8bbd066f9b3aa0289869635974a8a96fcaf2c7908323bf7c37fcffdf246c95c89d9cac4090dfbf0c15b68dec602744b3266e9294359f6cf51c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HGABD.tmp\OperaSetup.exe
Filesize
2.8MB

MD5
3f2e991814b95dd5ba66393d82ce7a47

SHA1
42f329315da7277dc0b56b56b417264d1fb39668

SHA256
09d019a50076cd5397e59a5e023857f0de4d35a203c0457e2366bbf60f8384f0

SHA512
427b6e0172dce96dfc1648ab64db07bd36ad62f10452098ca50b658d724dcf89efd7f9a74659f6ffbd71acdbd4f56bd1281128489d42460cf3f37a92fdf500c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HGABD.tmp\idp.dll
Filesize
228KB

MD5
9a83f220bf8ca569e3cfa654539a47a4

SHA1
9d1fb7087c12512d5f66d9d75f2fbae8e1196544

SHA256
b1c4c9b2dd6a40974fa8789b218b52d967f5ccd1b47e95b4f6bda4b6ce864d0d

SHA512
9b6460aca9720a4762a28e78a0e5f3e7358f73383926caf7f4a071e66c79f1032abd131432387f108de27894c147e2f34f01b094b6688826ce78f007d9dafbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HGABD.tmp\winx-dvd-ripper-bawa.exe
Filesize
12.0MB

MD5
4bdafb4122cbcb0570ce34804bd56ddb

SHA1
4597d0b2a2c0a9a589cba5cdda3f509e2f81c947

SHA256
a385edb3ca4116e434a7d3e77ddbc4f5b8fce1c5c710550cbc9d1fbf4e543f04

SHA512
42543cb31a7ed3f8d0d32275b7b1a1bf1236ab13226073bc2c2dc285e17b9f1a0cabff80e9b4b6cbf7cacbdeea5cffb0046df81aea357d89d09fc43f3d6df4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UOUN6.tmp\pdfshaper_free_14.1.tmp
Filesize
3.0MB

MD5
57fe8f01950c060b1399c71e5c13298a

SHA1
9d50987c81e5e050f834897c5a177a6254f45aaf

SHA256
ceb83d7df26baec654052c709373a0576ac235617e1d809b1954bf6e6ac4de4c

SHA512
d2aee6046d017e4b1954a3a40d711c2771af53a68e57ac646fc19827ad2a5712dbd6f66dcaf815469207c317a305ac9c270c82a124005dce57b0fc1eaeaf50be

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
c348e1329aad8601546be6122f2ae26d

SHA1
c6b4434e2cbe23b96519e5d6524e9d5a472430b8

SHA256
863b1d3bca03d8403bd57655817e03b043f7ccd0636485a2a968aa1f98f2d7df

SHA512
aea4819191a60c8947a8db0c579685387bf751ef5dda16ab8715bb452b1664cb458f5a963297ea967fd10810cc54942e43063d7a3da9ca11c33273897bd1fcde

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 348445.crdownload
Filesize
8.0MB

MD5
d786f7ea88cbdc1f6a9733ca4bb7fc59

SHA1
2537b5f0ecaf48ce48c14a6e9270a9c72f839b75

SHA256
16143d70158e1e6002134d7edd093683d51a0f31461c3c81e3f5fcb13f18c3ee

SHA512
b7e59e26567285c93863db26821e908ddd53ea9de9495b94a619bc40f5cbbd371f6ebc0afee542b4f1945087a87ea904f5b3c9c3f975ccd8a0a599c5217dc30b

Download Submit
\??\pipe\LOCAL\crashpad_4688_HVOHTOGECCRCDBDH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1348-362-0x0000000000780000-0x0000000000CB5000-memory.dmp

Filesize
5.2MB

Download
memory/1616-311-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1616-280-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4200-345-0x0000000000780000-0x0000000000CB5000-memory.dmp

Filesize
5.2MB

Download
memory/4200-495-0x0000000000780000-0x0000000000CB5000-memory.dmp

Filesize
5.2MB

Download
memory/4408-342-0x0000000000160000-0x0000000000695000-memory.dmp

Filesize
5.2MB

Download
memory/4408-337-0x0000000000160000-0x0000000000695000-memory.dmp

Filesize
5.2MB

Download
memory/5548-527-0x0000000000400000-0x0000000000F31000-memory.dmp

Filesize
11.2MB

Download
memory/5820-188-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/5820-221-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/5820-513-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/5928-275-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/5928-492-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/5928-500-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/5928-222-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/5928-235-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/5928-323-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/5928-310-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/6068-493-0x0000000000780000-0x0000000000CB5000-memory.dmp

Filesize
5.2MB

Download
memory/6068-318-0x0000000000780000-0x0000000000CB5000-memory.dmp

Filesize
5.2MB

Download
memory/6132-494-0x0000000000780000-0x0000000000CB5000-memory.dmp

Filesize
5.2MB

Download
memory/6132-325-0x0000000000780000-0x0000000000CB5000-memory.dmp

Filesize
5.2MB

Download